Don’t Sling Your Data Around in Singapore

Singapore: it is the globe’s fourth-largest financial center and the only Asian nation with a top AAA rating from the three primary credit rating agencies. But, despite its reputation as one of the most business-friendly countries in the world, organizations that do business in Singapore—including data intermediaries that process the data of Singaporean residents—should evaluate the impact of the country’s recently adopted Personal Data Protection Act (PDPA).

The law defines personal information as data about a resident of Singapore that can be used to identify that individual. The information need not identify an individual on its own; it is sufficient if an organization has access to or possesses other information that it can combine to identify the person. Given the breadth of this definition, organizations should take note of the following PDPA provisions:

Consent: Under the PDPA, organizations, regardless of their location, must obtain an individual’s consent before collecting, using, or disclosing the personal information of individuals who reside in Singapore.

Notice: Organizations must notify individuals of the reasons for collecting, using, or disclosing the personal data before doing so.

Access: Individuals are entitled to request their personal data from organizations, along with a description of how it has been used or disclosed within the last year, and to ask organizations to correct any errors.

Security: Organizations must take steps to protect personal data from unauthorized access.

Retention: Organizations cannot keep personal data longer than a reasonable amount of time to satisfy the purpose for which they collected it. After that point, they should delete the data or anonymize it.

Transfer: If organizations want to transfer personal information outside of Singapore, they must make sure that the recipient will provide protections similar to the PDPA.

Policy: Organizations should adopt data-privacy policies and procedures that allow them to comply with the PDPA, including a method for handling complaints. They should also appoint a data protection officer to ensure compliance with the law.

Though the law does have an exception to obtaining consent from data subjects where the use is “necessary for any investigation or proceedings,” it is not clear whether U.S. litigation or regulatory investigations would qualify. Therefore, with penalties of up to U.S. $800,000 and jail time at stake for violations, organizations that do business in Singapore should look closely at their data collection practices and policies and determine whether they may violate the PDPA.

Specifically, they should study the data they collect; if they are stockpiling more information than they need simply because it is easy and inexpensive to do so, they should make efforts to restrict their collection. They should also find out whether they are storing data in Singapore and consider moving it to a different jurisdiction. In addition, they may want to appoint a data protection officer if they have not done so already—in fact, this is a prudent measure for any global organization, given the proposed changes to data privacy regulations in the European Union. Finally, organizations should make sure that their third-party providers who handle data have adequate privacy and security measures in place to meet the stringent PDPA requirements.